from the oh-come-on-now dept

Just recently we wrote about why blockchain-based DRM was a terrible idea, and it could be summed up by the simple fact that a blockchain solves none of the "problems" of DRM today, and leverages none of the actual benefits of a blockchain. And... now I feel like writing basically the same exact post around blockchain voting. Like blockchain DRM, blockchain voting is one of those ideas that gets tossed around a lot. For decades, lots of people who actually understand computer security have explained why online voting is a horrifically bad idea in that it involves effectively unsolvable problems. It's not just that it's a "hard" problem; it's that online voting is effectively impossible without massive changes to almost everything we do in ways that we can't really comprehend right now. There are some serious researchers who are thinking about this, but to date, there is nothing even remotely close to being acceptable, and there may never be.

And yet, the "simplest" way that some people understand the risks of online voting is basically "it would be bad if someone could change your vote and no one would know." That's an easy to understand point to make, but the problems with online voting go way, way beyond that. Do a simple Google search on why online voting is a terrible idea and you'll get dozens of on-point results, but if you want a nice, simple explanation of just the first pass of potential risks with online voting, check out this video from a couple years ago by Princeton professor Andrew Appel, who has been studying voting security for many, many years:

It's 21 minutes, and if you're unsure of why internet voting is dangerous or think there's a simple solution, I'd urge you to watch it. But for those who don't, I'll just toss up one single slide from the presentation, which is not even remotely comprehensive in the list of potential problems with online voting:

That doesn't even get at a number of other potential issues (some of which are discussed in the video). And yet -- as with blockchain-for-DRM -- there's always someone who thinks that the only real problem is the double spend problem. Enter Alex Tapscott and the NY Times. Alex Tapscott is the son of Don Tapscott, who has written a number of fairly influential books related to technology and innovation, including "Growing up Digital" and "Wikinomics." In 2016, he teamed up with his son, Alex, and wrote a book called "The Blockchain Revolution," which is a fun read (they sent me a copy), if a bit overly excited in its analysis of potential implementations of the blockchain. As I've said in the past, I'm a believer that blockchain/tokens can completely revolutionize a few areas of the internet, but people have yet to really figure out which areas can take advantage of what is unique about the blockchain (beyond highly volatile currencies).

My favorite review of the book on its Amazon page includes this lovely sentence: "After the opening chapter, it turns into a rambling acid trip of delusional fantasies about exactly how blockchain will inevitably fix all the things wrong with society and the world."

Anyway, along comes Alex Tapscott and on election day, the NY Times gave him precious space to spew utter nonsense about how it's time for online voting... via the blockchain.

The key weakness of early online voting systems was the inability to solve what cryptographers called the “double spend problem.” When we send a file on the internet, we’re actually sending a copy of that file; the original remains in our possession. This is acceptable for sharing information but unacceptable for recording votes in elections. The possibility that individuals could cast their ballots multiple times for a candidate made these systems useless — just as vulnerable as paper ballot systems. Points of failure included susceptibility to hackers, coding bugs, and human error. With enough resources, any rogue could “stuff” a digital ballot box with illegitimate votes.

Except... that's not the key weakness in early online voting systems. It is one problem, but kinda far down the list. Look at that still from Appel's video above. Double spending isn't even there, really. Yet, Tapscott's piece acts as if it's the biggest problem, and easily solved with blockchain.

Since the NY Times published that article, plenty of folks with actual computer security expertise have stepped up to debunk it. Ben Adida, the Executive Director of a new organization called Voting Works, which is attempting to build secure, open source voting machines, actually debunked it a year ago (that's how good he is):

In a typical election setting with secret ballots, we need:

1. enforced secrecy: a way for each voter to cast a ballot secretly and no way to prove how they voted (lest they be unduly influenced)

2. individual verifiability: a way for each voter to gain confidence that their own vote was correctly recorded and counted.

3. global verifiability: a way for everyone to gain confidence that all votes were correctly counted and that only eligible voters cast a ballot.

Let’s say we have a Blockchain-style distributed database. How far does that get us to meeting these needs?

A distributed database of all cast votes, where everyone sees the same state of the world, would certainly be useful for (3) global verifiability and to some degree for (2) personal verifiability. That said, it won’t get us all the way there on those, and it won’t get us anywhere on (1) enforced secrecy.

Specifically, to combine personal verifiability with enforced secrecy, we need some mechanism that gives each voter enough confidence that their vote made it all the way to the tally, but not so much that they can sell their vote to a buyer/coercer. A public ledger of plain votes is a terrible idea, since that makes vote selling trivial. A public ledger of vote tracking numbers of sorts is better for privacy, though it doesn’t really provide actual verifiability that the contents of the ballot weren’t tampered with. Clearly, we need something more, and that something simply isn’t provided by a distributed ledger.
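The trade-off in the quote above, as an added toy model (not code from Adida's post or from this site): one ballot is published under three ledger designs, and each is checked for whether the voter notices a changed ballot and whether a buyer or coercer can confirm the vote. The third design, a hash commitment whose nonce the voter keeps, goes beyond the two ledgers named in the quote and is an assumption added here; the voter identifier and choices are constructed.

```python
import hashlib
import secrets

VOTER_ID = "voter-0001"  # constructed identifier


def commitment(choice, nonce):
    """Hash commitment to a ballot; whoever holds the nonce can open it."""
    return hashlib.sha256(nonce + choice.encode("utf-8")).hexdigest()


def cast(intended, recorded):
    """Cast one ballot and publish it under three ledger designs.

    intended is what the voter chose; recorded is what the (possibly
    compromised) system stored. Returns (public ledgers, what the voter keeps).
    """
    tracking = secrets.token_hex(8)
    nonce = secrets.token_bytes(16)
    public = {
        "plain votes": {VOTER_ID: recorded},
        "tracking numbers": {tracking},          # ballot contents stay off-ledger
        "hash commitments": {commitment(recorded, nonce)},
    }
    kept = {"choice": intended, "tracking": tracking, "nonce": nonce}
    return public, kept


def voter_detects_change(design, public, kept):
    """Individual verifiability: does the voter notice a changed ballot?"""
    ledger = public[design]
    if design == "plain votes":
        return ledger[VOTER_ID] != kept["choice"]
    if design == "tracking numbers":
        return kept["tracking"] not in ledger    # the number is all they can check
    return commitment(kept["choice"], kept["nonce"]) not in ledger


def buyer_can_confirm(design, public, kept, claimed):
    """Enforced secrecy fails if a buyer or coercer, handed everything the
    voter kept, can check the claimed choice against the public ledger."""
    ledger = public[design]
    if design == "plain votes":
        return ledger.get(VOTER_ID) == claimed
    if design == "tracking numbers":
        return False                             # nothing on the ledger to check against
    return commitment(claimed, kept["nonce"]) in ledger


def compare():
    """Return {design: (voter detects tampering, buyer can confirm the vote)}."""
    honest_public, honest_kept = cast("A", "A")
    tampered_public, tampered_kept = cast("A", "B")
    return {
        design: (
            voter_detects_change(design, tampered_public, tampered_kept),
            buyer_can_confirm(design, honest_public, honest_kept, "A"),
        )
        for design in honest_public
    }


if __name__ == "__main__":
    for design, (detects, sellable) in compare().items():
        print(f"{design:17} voter detects tampering: {detects!s:5}  "
              f"vote can be sold: {sellable}")
```

No design in the model gets both properties at once: whatever lets the voter check the ballot's contents also works as a receipt for a buyer.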

Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible—and I think it probably is—this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms.

For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials—or simply trick them into thinking they've cast a vote when they haven't.

[...]

But let's think about how this would play out in practice. Suppose it's mid-November 2020 and Donald Trump has narrowly won reelection. A few thousand voters in key swing states come forward to say that they intended to vote for Trump's opponent but their vote was recorded for Trump instead. Thousands of others say they tried to vote for Trump—or against him—but their votes weren't counted.

Was that due to hackers meddling with the vote, technical snafus, or user error? Were some of them just misremembering how they had cast their ballots? There would be no way to know for sure.

An important property for an election is finality: you want a well-understood process that makes people confident in the result. The paper-based process used in most states today isn't perfect, but it's pretty good on this score. Each vote is recorded on a paper ballot that's available for anyone to look at. Everyone understands how paper ballots work. People can observe the vote-counting process to verify that no ballots were altered. So not only does the process usually lead to an accurate count of peoples' votes, it also builds public confidence in the integrity of the result.

Blockchain voting would be much, much worse. Hardly anyone understands how a blockchain works, and even experts don't have a good way to observe the online voting process for irregularities the way an election observer does in a traditional paper election. A voter might be able to use her private key to verify how her vote was recorded after the fact. But if her vote wasn't counted the way she expected (or wasn't counted at all) she'd have no good way to prove that she tried to vote a different way.

Just a few months back, we also wrote about the terrible idea that West Virginia was experimenting with, via a company called Voatz (which is mentioned in Tapscott's article) that was building a "blockchain-based" system to allow military personnel overseas to vote via their mobile phones. And of course, as we noted at the time, it had all the same problems of all these systems. What it adds in "convenience" (if anything) is completely outdone by the security nightmare it creates.

Again, I still think blockchains have some potential to do some pretty useful things, but the idea that they can solve any old technology problem that is basically impossible under current realities by sprinkling magic "crypto" and "distributed" pixie dust on it is not a good look. Which should lead people to ask: why is the NY Times publishing it without any fact checking at all?

[E]lection officials are encouraged to change passwords after every election. Passwords should also have the following characteristics: they should be at least six characters, preferably eight, and include at least one uppercase letter, a lowercase letter, at least one number and a symbol. It also says, though, that passwords should be easy to remember so that employees won't need to write them down, "yet sufficiently vague that they cannot be easily guessed."

Unisyn has apparently decided minimal security efforts are badly in need of disruption. To begin with, the device manual suggests users should simply use variations of the default password the devices ship with. That password is the company's name with a "1" appended to the end of it. This easily-guessed admin password should then be immediately replaced with… an easily-guessed password.

Once logged into the system the credentials needed to access the tabulation monitor or the system for creating reports of ballots and vote tallies are different. The username is again a simple word to log in. The password is the same word with "1" appended to it. Users are told that to change the password when prompted, they should simply change the number sequentially to 2, 3, 4, etc.

The Unisyn manual takes the EAC guidelines and throws them out. It then makes a minimal nod towards compliance before throwing everything out a second time. Remember the part about not writing down passwords? The sort of thing no one should do because it defeats the purpose of password security? Here's Unisyn's scorching hot take on EAC compliance:

"You will be periodically asked to change your password per EAC regulations," [the manual] notes. But instead of providing customers with sound instructions for changing passwords—such as creating completely new passwords and not re-using them—the manual instructs them to simply alternate between a system administrator and a root password each time they are prompted to change the password. Space is provided below this instruction for election workers to write down which password they are using at any given time.

If there's good news, it's that these machines aren't in use everywhere. Just 3,500+ jurisdictions in ten states. They're also fairly insulated from online attacks, since they're not supposed to be connected to the internet. This means attackers will most likely need physical access to the devices. Good thing these only get touched by non-election personnel every couple of years or so!
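The rotation advice described above (a name plus "1", then bump the number, or alternate between two passwords) can pass a composition-only rule, so a change-time check has to look at how the new password relates to names and earlier passwords. A sketch of such a check, added here and not taken from the EAC guidance or any vendor; the identifiers and passwords are constructed samples, and the cleartext history is an assumption for illustration (a real system would hold hashes and compare stems only against the current password typed at change time).

```python
import re


def meets_composition(password):
    """Composition rule quoted above: at least six characters with an
    uppercase letter, a lowercase letter, a number and a symbol."""
    return (
        len(password) >= 6
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def stem(password):
    """Lower-case and strip digits/symbols from both ends, so that
    'Tabulator1!' and 'tabulator2!' share the stem 'tabulator'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def rotation_findings(new_password, history, identifiers):
    """Return the reasons a password change should be rejected.

    history: earlier passwords for the account (cleartext here only for
             illustration, see the assumption in the lead-in).
    identifiers: usernames, product and vendor names tied to the system.
    """
    findings = []
    if not meets_composition(new_password):
        findings.append("fails the composition rule")

    new_stem = stem(new_password)
    if new_stem and any(new_stem == name.lower() for name in identifiers):
        findings.append("built from a username or vendor name")

    if new_password in history:
        # Alternating between two known passwords lands here.
        findings.append("reuses an earlier password")
    elif new_stem and any(stem(old) == new_stem for old in history):
        # Same word, different trailing number or symbol.
        findings.append("earlier password with the counter changed")
    return findings


# Constructed sample data, not the defaults from any real manual.
IDENTIFIERS = ["tabulator", "ExampleVendor"]

if __name__ == "__main__":
    samples = [
        ("Tabulator2!", ["Tabulator1!"]),
        ("Sysadmin#Pass1", ["Sysadmin#Pass1", "Root#Pass1"]),
        ("plum-Kettle-4-orbit", ["Tabulator1!"]),
    ]
    for candidate, history in samples:
        print(candidate, meets_composition(candidate),
              rotation_findings(candidate, history, IDENTIFIERS))
```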

from the voting-village-strikes-again dept

Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It's a topic we've covered on Techdirt going back almost 20 years. But what's still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to to try to stop Defcon from obtaining their machines:

Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year's show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal -- which is false.

Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.

Leading voting machine vendor ES&S put out a completely bullshit letter to its customers basically saying "don't pay any attention to Defcon." That letter was expertly debunked and mocked by reporter Kim Zetter:

In advance of the @VotingVillageDC tomorrow, ES&S sent a message to customers today with their comments about the hacking village and the security of their machines. I've pasted their memo below, with some annotation from me. pic.twitter.com/6eQUYuuGJA

In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.

And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree:

Nico Sell, the co-founder of the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.

Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.

“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”

The really incredible part of this, of course, is that election officials and voting machine vendors don't embrace Defcon's vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored:

“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”

While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty -- and unconcerned with the terrible security associated with their machines.

from the you'd-think-we'd-learn-something dept

Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You'll recall that it's a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon's marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it's a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).

This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security’s Bob Diachenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.

When Diachenko contacted the firm, he was told that they were a "small shop" and that "keeping track of everything can be tough." In a statement to ZDNet, which first reported the latest exposure, Robocent co-founder Travis Trawick did his best to downplay the exposure by insisting the data was stale, and publicly-available anyway:

In an emailed statement, Robocent co-founder Travis Trawick confirmed that the data had been secured, and claimed that the data was from "an old bucket from 2013-2016 that hasn't been used in the past two years." He confirmed that the company is investigating the scope of the data that was accessible. "All exposed data was publicly available information," he said, adding that he will contact affected customers "if required by law."

The problem: what's deemed "publicly available" varies from state to state. While voter data is generally a matter of public record, states like Maine and Massachusetts restrict the use of such data for political campaign purposes. Other states, like South Carolina, have restrictions on only selling said data if you're a registered voter in the state. And while the data may have been stale, it still wasn't adequately protected however you slice it; it was quickly indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be perused at your leisure.

This latest exposure is believed to be the fifth major breach of voter data in the last half-decade. It's a trend that shows no real sign of slowing down despite the simplicity of protecting this data and the rampant press coverage such exposures routinely receive.

from the you-guys-are-soooooooo-bad-at-this dept

We've been covering the mess that is electronic voting machines for nearly two decades on Techdirt, and the one thing that still flummoxes me is how are they so bad at this after all these years? And I don't mean "bad at security" -- though, that's part of it -- but I really mean "bad at understanding how insecure their machines really are." For a while everyone focused on Diebold, but Election Systems and Software (ES&S) has long been a bigger player in the space, and had just as many issues. It just got less attention. There was even a brief period of time where ES&S bought what remained of Diebold's flailing e-voting business before having to sell off the assets to deal with an antitrust lawsuit by the DOJ.

What's incredible, though, is that every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system -- and if you must have one at all, it must have a printed paper audit trail and not be accessible from the internet. Now, as Kim Zetter at Motherboard has reported, ES&S -- under questioning from Senator Ron Wyden -- has now admitted that it installed remote access software on its voting machines, something the company had vehemently denied to the same reporter just a few months ago. That was then:

In a statement, ES&S said, ‘‘None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.’’

This is now:

In a letter sent to Sen. Ron Wyden in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

This should be a massive scandal considering the potential impact on our democracy, but considering all the other scandals going on right now with the potential to impact our democracy, expect this one to not get nearly enough attention. Wyden's own comment on this is noteworthy:

Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

As for the pcAnywhere software ES&S had installed on those voting machines, well...

In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnywhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.

Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password.

So... that's disturbing.

Anyway, elections are a very tricky problem to do securely. It is a nearly impossible task. But there are lots of things that you clearly should not do, and for some reason, the e-voting manufacturers seem to want to do all of them, and don't seem particularly apologetic about any of it. And, while in the past the idea of hacking an election may have seemed far-fetched and conspiracy-minded, these days... not so much. This is a key issue concerning our democracy, and the most incredible thing is how flippant many people are about all of this. Computer security professor Matt Blaze, who knows more about any of this than anyone reading this, points out that "in the more than quarter century I've been doing computer security, I've never encountered a problem space nearly as difficult or complex as civil elections."

And yet, we're letting people who don't understand even the slightest bit of the problems and challenges run the show. What a mess.

from the oh-really-now? dept

One of the ridiculous parts of all of the discussions around "cybersecurity" concerns what should be considered "critical infrastructure." That's because, thanks to various executive orders, what the President declares as "critical infrastructure" leads to different cybersecurity requirements. There have been concerns that this will result in broadly classifying the internet as "critical infrastructure" in a manner that will lead to easier surveillance. But, as we noted nearly a decade ago, broadly classifying the internet as critical infrastructure would be silly, when the use of that designation should be narrowly focused on things like voting and banking (not to mention things like energy grids and water supplies).

Apparently, however, as the Obama administration is looking to respond to what it believes was Russian "interference" in the 2016 Presidential election, it is realizing that none of it targeted "critical infrastructure." And thus... it now wants to change the definition of what's covered. That should be concerning.

First off, at this point we should make a quick aside that there remains zero evidence released publicly that there was any actual hacking of our voting systems. None. Zip. Zero. And basically everything claiming otherwise has been partisan hackery. Before the election Trump supporters were going on and on about how voting machines could be hacked -- but have been mostly silent since the election. Instead, since the election ended, it's been Clinton supporters insisting that Russian hackers tampered with voting machines. For a decade and a half we've been warning about bad e-voting machines and how insecure they are, but so far no one has presented anything in the way of proof that electronic voting machines were hacked. Actual voting infrastructure is pretty clearly "critical infrastructure." But what about other things -- like the emails of top party leaders? Well, that's what the administration now seems to want to change into "critical infrastructure."

The sanctions portion of the package culminates weeks of debate in the White House on how to revise a 2015 executive order that was meant to give the president authority to respond to cyberattacks from overseas but that did not cover efforts to influence the electoral system.

[....]

But officials concluded this fall that the order could not, as written, be used to punish the most significant cyber-provocation in recent memory against the United States — Russia’s hacking of Democratic organizations, targeting of state election systems and meddling in the presidential election.

With the clock ticking, the White House is working on adapting the authority to punish the Russians, according to the officials, who spoke on the condition of anonymity to discuss internal deliberations. President Obama pledged this month that there would be a response to Moscow’s interference in the U.S. elections.

The targeting of "state election systems" definitely seems a bit more like it should obviously be considered "critical infrastructure" -- though those attacks on state systems were not targeted at the actual voting infrastructure, but computer systems that contained information about voters and such. But it seems a lot more questionable to argue that political parties' computer systems should automatically be seen as "critical infrastructure." That seems to be heading down the slippery slope of declaring certain individuals' email accounts critical infrastructure, and lots of mischief could be associated with such a designation.

As the article notes, even though it's believed by many that Russian hackers got into election systems, it doesn't appear they did anything in those systems, so it's tough to show that there was actual harm:

“You would (a) have to be able to say that the actual electoral infrastructure, such as state databases, was critical infrastructure, and (b) that what the Russians did actually harmed it,” said the administration official. “Those are two high bars.”

Although Russian government hackers are believed to have penetrated at least one state voter-registration database, they did not tamper with the data, officials said.

It definitely seems that voting systems should be seen as critical infrastructure, but given how declarations of critical infrastructure come with some pretty hefty requirements -- and opening up the possibility of greater surveillance -- the administration should be pretty careful about expanding the list as a reactionary move to the last election.

from the that's-a-good-point dept

So lots of people have been discussing the story claiming that some e-voting experts believe the Clinton campaign should be asking for a recount in certain battleground states, where it's possible there were some e-voting irregularities. As we noted in our post, the story would barely be worth mentioning if one of the people involved wasn't Alex Halderman, a computer science professor we've been talking about for nearly a decade and a half, going back to when he was a student. Halderman is basically the expert on e-voting security -- so when he says something, it's worth paying attention.

Halderman has now posted something of a follow-up to the NY Magazine article clarifying his views and what he's suggesting. He's not saying there's evidence of a hack, but basically saying that no one knows if there was a hack or not, and because of that, there should be a recount as a way to audit the results to see if there were any irregularities.

After the election, human beings can examine the paper to make sure the results from the voting machines accurately determined who won. Just as you want the brakes in your car to keep working even if the car’s computer goes haywire, accurate vote counts must remain available even if the machines are malfunctioning or attacked. In both cases, common sense tells us we need some kind of physical backup system. I and other election security experts have been advocating for paper ballots for years, and today, about 70% of American voters live in jurisdictions that keep a paper record of every vote.

There’s just one problem, and it might come as a surprise even to many security experts: no state is planning to actually check the paper in a way that would reliably detect that the computer-based outcome was wrong. About half the states have no laws that require a manual examination of paper ballots, and most other states perform only superficial spot checks. If nobody looks at the paper, it might as well not be there. A clever attacker would exploit this.

There’s still one way that some of this year’s paper ballots could be examined. In many states, candidates can petition for a recount.

So, in effect, Halderman isn't saying that he's got evidence of e-voting fraud, but is simply arguing that if no one checks, no one will ever know. So we should check in order to be sure that there wasn't hacking. That's... pretty sensible.
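What "checking the paper in a way that would reliably detect a wrong outcome" can look like, as an added example that is not from Halderman's post: a ballot-polling risk-limiting audit using the BRAVO test, a technique the page itself does not name. It assumes a two-candidate contest and ballots drawn at random with replacement; the ballot lists, seed and 5% risk limit are constructed.

```python
import random


def bravo_audit(draws, reported_winner_share, risk_limit=0.05):
    """Sequential test of the reported outcome against hand-read paper.

    draws: iterable of booleans, True when the sampled paper ballot shows
           a vote for the reported winner.
    Returns (confirmed, ballots_examined). If the reported winner did not
    actually win, the chance of returning confirmed is at most risk_limit.
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    threshold = 1.0 / risk_limit
    ratio = 1.0          # likelihood of the reported result relative to a tie
    examined = 0
    for for_winner in draws:
        examined += 1
        if for_winner:
            ratio *= reported_winner_share / 0.5
        else:
            ratio *= (1.0 - reported_winner_share) / 0.5
        if ratio >= threshold:
            return True, examined
    return False, examined


def sample_paper(paper_ballots, max_draws, seed):
    """Draw ballots uniformly at random, with replacement, from the paper."""
    rng = random.Random(seed)
    for _ in range(max_draws):
        yield paper_ballots[rng.randrange(len(paper_ballots))]


def audit_paper_trail(paper_ballots, reported_winner_share, max_draws, seed,
                      risk_limit=0.05):
    """Audit the machine-reported share against the paper trail. A sample
    that never confirms the outcome escalates to a full hand count."""
    confirmed, examined = bravo_audit(
        sample_paper(paper_ballots, max_draws, seed),
        reported_winner_share, risk_limit)
    return ("confirmed" if confirmed else "full hand count", examined)


if __name__ == "__main__":
    # Constructed contest: the machines report 55% for candidate A.
    reported = 0.55
    # Paper agrees with the machines: 5,500 of 10,000 ballots for A.
    honest_paper = [True] * 5500 + [False] * 4500
    # Paper disagrees: only 48% for A, i.e. the machine count was shifted.
    shifted_paper = [True] * 4800 + [False] * 5200
    print("paper matches report:", audit_paper_trail(honest_paper, reported, 3000, seed=2016))
    print("paper contradicts   :", audit_paper_trail(shifted_paper, reported, 3000, seed=2016))
```

The closer the reported margin, the more ballots the audit has to examine before it can confirm, which is why a fixed-size spot check gives no comparable guarantee.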

Examining the physical evidence in these states — even if it finds nothing amiss — will help allay doubt and give voters justified confidence that the results are accurate. It will also set a precedent for routinely examining paper ballots, which will provide an important deterrent against cyberattacks on future elections. Recounting the ballots now can only lead to strengthened electoral integrity, but the window for candidates to act is closing fast.

Basically, the only way we can actually get an effective audit to see if there were any voting irregularities is to ask for a recount. The problem, of course, is a political one. If the Clinton campaign does call for a recount, it will immediately be seen as a political play, and lead to a ton of negative publicity. My guess is that the campaign won't want to go there. If we lived in a time where people were intellectually honest, the campaign could present it exactly the way Halderman has framed it -- not as a claim that they believe fraud happened, but rather as a way to ensure that the e-voting machines were accurate and not manipulated -- but does anyone think that the press (either those that supported or those that opposed Clinton) would treat it that way? It would become a complete mess in about two-and-a-half seconds.

And, that's unfortunate. Because as Halderman points out (and, like us, has been pointing out for over a decade), it absolutely is possible to hack most e-voting machines. Especially if the attacker is determined enough to do so:

Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.

Could anyone be brazen enough to try such an attack? A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election. This summer, attackers broke into the email system of the Democratic National Committee and, separately, into the email account of John Podesta, Hillary Clinton’s campaign chairman, and leaked private messages. Attackers infiltrated the voter registration systems of two states, Illinois and Arizona, and stole voter data. And there’s evidence that hackers attempted to breach election offices in several other states.

In all these cases, Federal agencies publicly asserted that senior officials in the Russian government commissioned these attacks. Russia has sophisticated cyber-offensive capabilities, and has shown a willingness to use them to hack elections. In 2014, during the presidential election in Ukraine, attackers linked to Russia sabotaged the country’s vote-counting infrastructure and, according to published reports, Ukrainian officials succeeded only at the last minute in defusing vote-stealing malware that was primed to cause the wrong winner to be announced. Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities.

So, yes, it would be good if the votes here were reviewed, if only as an opportunity to explore the potential problems of e-voting machines, rather than as a political ploy. The only problem is that everyone would see it as a political ploy and with political ploys come general dumpster fires of idiocy.
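Halderman's complaint above is that superficial spot checks of the paper cannot reliably detect a wrong computer count. The sketch below is an added example, not code from Halderman's post or from this article: it runs the sequential test used in ballot-polling risk-limiting audits (in the style of the BRAVO method) for a two-candidate contest and escalates to a full hand count when the sample never supports the reported outcome. The ballot lists, the seed and the 5% risk limit are constructed assumptions.

```python
import random
from collections import Counter


def ballot_polling_audit(paper_ballots, reported_winner, reported_share,
                         risk_limit=0.05, seed=2016):
    """Check a reported two-candidate outcome against the paper record.

    Returns (winner, ballots_examined, method).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported share must be above 50% and below 100%")
    rng = random.Random(seed)  # assumption: a real audit uses a publicly rolled seed
    ratio = 1.0                # evidence for the reported result versus a tie
    for examined in range(1, len(paper_ballots) + 1):
        ballot = rng.choice(paper_ballots)  # random draw, with replacement
        if ballot == reported_winner:
            ratio *= reported_share / 0.5
        else:
            ratio *= (1.0 - reported_share) / 0.5
        # Stop once a wrong outcome would produce evidence this strong
        # with probability at most risk_limit.
        if ratio >= 1.0 / risk_limit:
            return reported_winner, examined, "audit sample"
    # The sample never backed the machines: count every paper ballot by hand
    # and report whatever the paper says.
    tally = Counter(paper_ballots)
    return tally.most_common(1)[0][0], len(paper_ballots), "full hand count"


# Constructed paper records for a 10,000-ballot contest (not real election data).
HONEST = ["A"] * 7000 + ["B"] * 3000   # machines reported A with 70%: true
SHIFTED = ["A"] * 4600 + ["B"] * 5400  # machines reported A with 52%: false

if __name__ == "__main__":
    print(ballot_polling_audit(HONEST, "A", 0.70))
    print(ballot_polling_audit(SHIFTED, "A", 0.52))
```

With the constructed lists, the honest 70% result is confirmed from a small sample, while the shifted 52% claim never accumulates enough evidence and falls through to the hand count, which reports B.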

from the life-lessons dept

A Florida man is facing felony criminal hacking charges after disclosing vulnerabilities in the voting systems used in Lee County, Florida. Security analyst David Levin was arrested 3 months after reporting unpatched SQL injection vulnerabilities in the county's election systems. Levin was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond. Levin's first and biggest mistake was to post a video of himself on YouTube logging into the Lee County Elections Office network using the credentials of Sharon Harrington, the Lee County Supervisor of Elections.

That gave prosecutors the ammo they needed to arrest Levin, even if he believed he was doing locals a favor:

"Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony."

But at least a portion of Levin's crime may be of the political variety. In the video posted to YouTube Levin detailed the SQL injection alongside a man by the name of Dan Sinclair, who just so happens to be running against Harrington for the Elections Supervisor position. In the video, Levin details the relatively simple method of using a SQL injection attack to obtain login names and plain-text passwords belonging to Harrington and at least 10 other account holders:

"The server that was vulnerable to Levin's SQL injection attack, they said, had been retired in October. At the time of Levin's attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn't vulnerable to the attack, they said. Similarly, the CMS Levin logged into had also been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. People logging into it didn't have the ability to post new pages to the site or to access voter data or tabulation systems, they said."

Granted, it's not clear whether the data, usernames and passwords used in the attack were also potentially useful in compromising any of the county's other systems, and Levin's currently too busy in the court system to offer additional insight.

At the end of the day there's plenty of fault and lessons to go around. The county obviously shouldn't keep systems with easily exploitable vulnerabilities online, as such lower-level systems could open the door for attacks on higher-level operations. Levin, meanwhile, could have taken any number of steps to reveal the flaws without risking prosecution, and step one to not getting arrested for computer crimes usually involves not posting videos of yourself breaking the law on YouTube. Following Dan Kaminsky's guide on how to disclose vulnerabilities without getting arrested is a good starting point for anybody that may someday find themselves in Levin's shoes.

from the who-needs-lobbying? dept

Earlier this year, there was a lot of hype and uproar about the revelation that, back in 2012, Facebook had run an experiment on news feeds to see if it could make people happy or sad. While I really don't think the experiment was so crazy, others disagreed. Of course, that was hardly the only experiment that Facebook has run on its users, and over at Mother Jones, Micah Sifry last week revealed the details of another Facebook newsfeed experiment from 2012: one that influenced how and if people voted:

For one such experiment, conducted in the three months prior to Election Day in 2012, Facebook increased the amount of hard news stories at the top of the feeds of 1.9 million users. According to one Facebook data scientist, that change—which users were not alerted to—measurably increased civic engagement and voter turnout.

As the article notes, Facebook had experimented with "I'm Voting" or "I'm a Voter" buttons on its site to see if that would encourage friends to vote, but its civic engagement tactics have gone much further than that. Still, even all the way back in 2010, Facebook had realized that just using those "voter" buttons likely increased voting:

After the election, the study's authors examined voter records and concluded that Facebook's nudging had increased voter turnout by at least 340,000. As the study noted, that's about 0.14 percent of the total voting-age population in 2010. Considering that overall turnout rose from 37.2 percent in 2006 to 37.8 percent in 2010—both off-year, nonpresidential elections—the Facebook scientists maintained that the voter megaphone impact in 2010 was substantial. "It is possible," the Facebook team wrote in Nature, "that more of the 0.6 percent growth in turnout between 2006 and 2010 might have been caused by a single message on Facebook."

Now, for the 2012 experiment, which Facebook doesn't seem to want to talk about very much (and, in fact, it pulled a video about it, after Sifry started poking around, asking questions):

In the fall of 2012, according to two public talks given by Facebook data scientist Lada Adamic, a colleague at the company, Solomon Messing, experimented on the news feeds of 1.9 million random users. According to Adamic, Messing "tweaked" the feeds of those users so that "instead of seeing your regular news feed, if any of your friends had shared a news story, [Messing] would boost that news story so that it was up top [on your page] and you were much more likely to see it." Normally, most users will see something more personal at the top of the page, like a wedding announcement or baby pictures.

Messing's "tweak" had an effect, most strongly among occasional Facebook users. After the election, he surveyed that group and found a statistically significant increase in how much attention users said they paid to government. And, as the below chart used by Adamic in a lecture last year suggests, turnout among that group rose from a self-reported 64 percent to more than 67 percent. This means Messing's unseen intervention boosted voter turnout by 3 percent. That's a major uptick (though based only on user self-reporting).

There were also other experiments to see what types of messages (i.e., "I'm a Voter" vs. "I'm Voting") were more effective.

I'm sure that these kinds of efforts will concern some -- and there are already some people talking about "manipulating the election," but to some extent that's silly. The same is true of just about any political campaigning or "get out the vote" effort. Could there be some concern that Facebook has disproportionate power or (as the article suggests) really only helps one party (more Facebook users are Democrats)? Perhaps, but that's the nature of a (mostly) free and open society where we have democratic elections. Some percentage of the public votes, and lots of people are pushing to either get them to vote or to vote in certain ways. Facebook being a part of that seems interesting to note and to follow, but it's not necessarily a problem or something to be concerned about.